Hi Sergey, Colm,
Sorry for not answering before, I wanted to test your suggestion, but had a
hard time with my environment.
Anyway, here it is: when I remove the authentication checks [1], I get a 401 (see
[2]) on
http://localhost:8080/oidc/idp/authorize?client_id=NWuw2CijNchtRQ&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=blabla
So +1 for adding the Authenticated role!
Thanks,
[1] my new web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Whitelist access</web-resource-name>
<url-pattern>/idp/*</url-pattern>
</web-resource-collection>
</security-constraint>
[2] Error 401 due to:
2016-07-18 13:26:56,954 [http-apr-8080-exec-10] WARN org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper - javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
    at org.apache.cxf.jaxrs.utils.SpecExceptions.toNotAuthorizedException(SpecExceptions.java:94)
    at org.apache.cxf.jaxrs.utils.ExceptionUtils.toNotAuthorizedException(ExceptionUtils.java:130)
    at org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.getAndValidateSecurityContext(RedirectionBasedGrantService.java:423)
    at org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.startAuthorization(RedirectionBasedGrantService.java:123)
    at org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.authorize(RedirectionBasedGrantService.java:93)
    at org.apache.cxf.rs.security.oauth2.services.AuthorizationService.authorize(AuthorizationService.java:58)
From: Colm O hEigeartaigh <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Monday, 18 July 2016 15:26
Subject: Re: 403 with CXF OIDC when user has roles
Actually, this won't work. We need to specify a role to get the Tomcat
filters to kick in. What I'll do is add the "Authenticated" role to the
list of roles in the filters, if a configuration option is set to true.
Colm.
On Mon, Jul 18, 2016 at 12:28 PM, Sergey Beryozkin <[email protected]>
wrote:
> +1,
>
> Cheers, Sergey
> On 18/07/16 14:18, Colm O hEigeartaigh wrote:
>
>> I think we could just get rid of them for the non-console part of the OIDC
>> IdP. For the normal RP case, you want to make sure that only authenticated
>> users in a given role can access the application. But here we're just
>> logging users in, so I don't think we need to specify a constraint on the
>> role.
>>
>> Colm.
>>
>> On Mon, Jul 18, 2016 at 12:11 PM, Sergey Beryozkin <[email protected]>
>> wrote:
>>
>>> One thing to note is that these roles in fediz-oidc/web.xml are a
>>> temporary side-effect of the fact that OIDC is implemented right now as a
>>> Fediz WS-Fed RP (meaning that internally, when the user is actually
>>> authenticated, OIDC talks to the core Fediz IDP using WS-Fed, which is
>>> transparent to the user).
>>> And because OIDC is Fediz RP right now, it is like any other web
>>> application protected by Fediz Authenticators and hence I simply copied
>>> the roles from a based Fediz demo when prototyping the initial Fediz OIDC
>>> web.xml.
>>>
>>> So I wonder, can we simply get rid of those roles? I recall it was quite
>>> sensitive. Or maybe fix something at the Fediz core level so as not to lose
>>> 'Authenticated'?
>>>
>>> Either way these roles will go once we have OIDC and IDP combined with
>>> OIDC becoming a real IDP itself...
>>>
>>> Cheers, Sergey
>>>
>>>
>>>
>>> On 18/07/16 13:58, Colm O hEigeartaigh wrote:
>>>
>>> Hi Adrian,
>>>>
>>>> I suppose the question is why you need to specify a role constraint at
>>>> all for the OIDC authorization call? If you're happy to allow any
>>>> authenticated user access, then why have a constraint on the role of the
>>>> user?
>>>>
>>>> Colm.
>>>>
>>>> On Mon, Jul 18, 2016 at 10:51 AM, Adrian Gonzalez <
>>>> [email protected]> wrote:
>>>>
>>>> Hello,
>>>>
>>>>> I'm using CXF OIDC. When my Client Application redirects a user to OIDC
>>>>> and the user is not associated with any role on the STS side, then
>>>>> everything works fine.
>>>>> When I associate the user with at least 1 role, I get a 403 on this
>>>>> request:
>>>>>
>>>>>
>>>>> http://localhost:8080/oidc/idp/authorize?client_id=XXX&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&scope=openid&state=YYY
>>>>> From
>>>>> https://github.com/apache/cxf-fediz/blob/master/plugins/tomcat8/src/main/java/org/apache/cxf/fediz/tomcat8/handler/TomcatSigninHandler.java#L54
>>>>> :
>>>>> * When the user has no roles, the Tomcat handler adds the 'Authenticated' role.
>>>>> * When the user has 1..n roles, no 'Authenticated' role is added.
>>>>> As a workaround, I could give every one of my users an Authenticated
>>>>> role, but it seems a bit artificial. Shouldn't TomcatSigninHandler.java
>>>>> systematically add the Authenticated role?
>>>>> Thanks, Adrian
>>>>>
>>>>> P.S. Here's the extract of my web.xml:
>>>>> <security-role>
>>>>> <role-name>Manager</role-name>
>>>>> </security-role>
>>>>> <security-role>
>>>>> <role-name>User</role-name>
>>>>> </security-role>
>>>>> <security-role>
>>>>> <role-name>Admin</role-name>
>>>>> </security-role>
>>>>> <security-role>
>>>>> <role-name>Authenticated</role-name>
>>>>> </security-role>
>>>>> <security-constraint>
>>>>> <web-resource-collection>
>>>>> <web-resource-name>User Protected
>>>>> Area</web-resource-name>
>>>>> <url-pattern>/idp/*</url-pattern>
>>>>> </web-resource-collection>
>>>>> <auth-constraint>
>>>>> <role-name>*</role-name>
>>>>> </auth-constraint>
>>>>> </security-constraint>
>>>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
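The thread turns on two container rules: a `<security-constraint>` without an `<auth-constraint>` (Adrian's [1]) never triggers a login, so the CXF authorization endpoint finds no security context and throws the 401 in [2]; a constraint that does name a role only passes if the sign-in handler actually hands that role to Tomcat, which is why the "always add Authenticated" option matters once a user has STS roles. The following is an added model of those rules, written for this thread and not code from Fediz or CXF: it parses constructed web.xml fragments (derived from the ones quoted above), applies the handler behaviour as Adrian described it, with the configuration option Colm proposed as a boolean, and returns the status a client would see. The `*` handling follows the Servlet rule (any role declared in a `<security-role>`); multi-constraint merging is not modelled.

```python
import xml.etree.ElementTree as ET

AUTHENTICATED = "Authenticated"

# Constructed descriptor: the constraint from Adrian's web.xml, but requiring
# the 'Authenticated' role explicitly instead of '*'.
WEB_XML_AUTHENTICATED = """<web-app>
  <security-role><role-name>Manager</role-name></security-role>
  <security-role><role-name>Authenticated</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Protected Area</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Authenticated</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed descriptor matching [1]: same URL pattern, <auth-constraint>
# removed, so the container never asks the user to log in.
WEB_XML_OPEN = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whitelist access</web-resource-name>
      <url-pattern>/idp/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""


def effective_roles(sts_roles, always_add_authenticated=False):
    """Roles the sign-in handler presents to the container.

    Behaviour as described in the thread: 'Authenticated' is added only when
    the STS returned no roles; with the proposed option on, it is always added.
    """
    roles = set(sts_roles)
    if not roles or always_add_authenticated:
        roles.add(AUTHENTICATED)
    return roles


def _pattern_matches(pattern, path):
    # Servlet URL patterns: '/idp/*' is a path-prefix match, anything else is exact.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def required_roles(web_xml, path):
    """Return (declared_roles, required) for the first constraint covering path.

    required is None when no constraint matches or the matching one has no
    <auth-constraint> (the container does not authenticate the request),
    an empty set for an empty <auth-constraint> (nobody is allowed), or the
    listed role names, possibly including '*'.
    """
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        if not any(_pattern_matches(p, path) for p in patterns):
            continue
        auth = sc.find("auth-constraint")
        if auth is None:
            return declared, None
        return declared, {r.text.strip() for r in auth.findall("role-name")}
    return declared, None


def authorize_request(web_xml, path, sts_roles, always_add_authenticated=False):
    """Status a client would observe on the /idp/authorize endpoint.

    401: no login was triggered, so CXF finds no security context (trace [2]).
    403: the user was authenticated but holds none of the required roles.
    200: authenticated and authorized.
    """
    declared, required = required_roles(web_xml, path)
    if required is None:
        return 401
    roles = effective_roles(sts_roles, always_add_authenticated)
    allowed = bool(roles & declared) if "*" in required else bool(roles & required)
    return 200 if allowed else 403


if __name__ == "__main__":
    path = "/idp/authorize"
    print("no roles, explicit constraint:", authorize_request(WEB_XML_AUTHENTICATED, path, []))
    print("Manager, option off:", authorize_request(WEB_XML_AUTHENTICATED, path, ["Manager"]))
    print("Manager, option on:", authorize_request(WEB_XML_AUTHENTICATED, path, ["Manager"], True))
    print("auth-constraint removed:", authorize_request(WEB_XML_OPEN, path, ["Manager"]))
```

Running it reproduces the three situations in the thread: a user with no STS roles passes, a user with roles is refused with 403 until the option adds Authenticated alongside them, and dropping the `<auth-constraint>` turns the refusal into the 401 from CXF rather than into access.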